Extracted

• • Target

    4f7771816a61eee6220b7e56ffd96e377dc5783b5bb6cba0ee39dbb25b9e4ce6

  • Size

    681KB

  • MD5

    bf11911b6520870ace83bf94f86647f1

  • SHA1

    23f7fa2eb9a8f88899fa19dbd6296fdf0d377c57

  • SHA256

    4f7771816a61eee6220b7e56ffd96e377dc5783b5bb6cba0ee39dbb25b9e4ce6

  • SHA512

    5574d6b4ccb2591c0b68c533f7003b246e737ce562da407902cdd79d998a39dd7d607dfaaf2b16b02c261a4c5733eb91cf2e54ebe9e384bb1416a89eb87d6468

  • SSDEEP

    12288:UvbDA/K+AhaGMeXBCr4H8HqdaWluvNBtYSBmxmKVdBkhmY8RVp+InboA:gkBvGVs4vdRKHYSoxRSmYG7bl

  Score

  10^/10

  agentteslaevasionexecutionkeyloggerspywarestealertrojan

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in visual basic.

    keyloggertrojanstealerspywareagenttesla

  • UAC bypass

    evasiontrojan

  • Windows security bypass

    evasiontrojan

  • Looks for VirtualBox Guest Additions in registry

    evasion

  • Command and Scripting Interpreter: PowerShell

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution

  • Looks for VMWare Tools registry key

    evasion

  • Checks BIOS information in registry

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Windows security modification

    evasiontrojan

  • Checks whether UAC is enabled

    evasiontrojan

  • Looks up external IP address via web service

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Maps connected drives based on registry

    Disk information is often read in order to detect sandboxing environments.

  • Suspicious use of SetThreadContext

  behavioral1behavioral2